So far, the hackers appear to be focusing on organizations in Spain and Portugal. Labeled Raspberry Robin by cybersecurity company Red Canary in May 2022, this worm was initially thought to spread via compromised USB drives. However, in October, the Microsoft Threat Intelligence Team revealed that Raspberry Robin is distributed in other ways and is linked to other malware. In December 2022, Trend Micro also published an analysis of the virus, revealing that it delivers payloads via the Tor network and deploys fake payloads to avoid detection. Security Joes researchers have already detected Raspberry Robin twice this month, and it appears to be collecting a lot more data about victims. “Not only did we discover a version of the malware that is several times more complex, but we also found that the C2 beaconing, which used to have a URL with a plain-text username and hostname, now has a robust RC4 encrypted payload,” Felipe Duarte, a senior threat researcher at Security Joes, said.
Raspberry Robin: A ‘Unique’ Malware
Security Joes’ report said the Raspberry Robin worm spreads in the cloud infrastructures of data hosting organizations like Azure, Github, and Discord without detection. Not only is the malware built to evade detection, but it’s also difficult to reverse engineer. “What is unique about the malware is that it is heavily obfuscated and highly complex to statically disassemble. Dynamically peeling back one layer at a time, the researchers were ultimately able to find the inner config of the malware and get the Indicators of Compromise (IOCs) contained within it,” the report said. The researchers were able to link this malware to Raspberry Robin by analyzing its Indicators of Compromise (IOCs) and Tactics, Techniques & Procedures (TTPs). They also found that an IP address and QNAP server linked to Raspberry Robin was used to orchestrate attacks.
Upgrades to Raspberry Robin
Security Joes researchers said the malware is also much more complex now and includes a “robust RC4 encrypted payload” to encrypt victims’ data, researchers said. In one case, the malware infected a victim via a 7zip file containing an MSI installer that downloads files on the victim’s device and routes traffic via Tor. “It shows a similar pattern to the one shared by Microsoft in its report, but not the exact same. In fact, this was the first indication that the threat actors have updated several internal modules of this infamous botnet,” researchers added. In another case, the researchers found that a user downloaded a ZIP file, possibly from a malicious ad that popped up on the Microsoft Edge browser. “Once the user interacts with the malicious advertisement, they are redirected to an intermediary server 135.148.169[.]133 that provides the final URL where the malicious code is hosted,” the researchers explained. The malware is hosted on a Discord server to avoid detection and bypass security scans. Security Joes researchers recorded “at least five layers of protections before executing the actual malicious code.” Furthermore, the malicious Dynamic Link Libraries (DLLs) delete themselves from the memory system once the infection is complete, researchers said.
Raspberry Robin is Harder to Detect
The upgrades to the Raspberry Robin framework now allow “threat actors to implement additional validations on their backend to have a better segmentation and visibility of their targets.” This, in turn, allows hackers to run botnets in virtual sandbox environments and deploy various payloads while evading security researchers. In October, Microsoft noted that the Raspberry Robin worm was “part of a complex and interconnected malware ecosystem,” linked to other malware families and infection methods beyond just the initial USB drive infection vector. “Our continuous tracking of Raspberry Robin-related activity also shows a very active operation: Microsoft Defender for Endpoint data indicates that nearly 3,000 devices in almost 1,000 organizations have seen at least one Raspberry Robin payload-related alert in the last 30 days,” Microsoft said in October last year. Microsoft also noted that Raspberry Robin might be linked to ransomware groups like LockBit and EvilCorp. It is important to have real-time defenses on your devices in case you click on a malicious attachment on a website or open one from a phishing email. Organizations should have comprehensive anti-malware detection systems and phishing filters on corporate mailboxes. Individuals can use a premium anti-malware suite like Malwarebytes Premium. Take a look at our five best cybersecurity tools to learn more about how to defend your system from advanced threats.
